Phishing tests are testing the security team’s technical controls and education; if an employee is duped, it’s the security team, not the employee, that failed. 1/3 coppercourier.com/story/goda…

That’s why employees hate phishing tests when they’re held accountable, it doesn’t prove anything. It’s trivial to create a highly clicked-on email, I’ve created many. Use the click-thru rate as a means to shore up controls and training. 2/3